Intellectual Property, Data Privacy, and Data Communication

This Addendum (“Addendum”) applies to all Products and Services provided by Aotu (“Company”) to the Customer and forms part of the Sales Contract. In the event of any inconsistency between this Addendum and the Sales Contract, the provisions of this Addendum shall control.

1. Intellectual Property

Company retains all rights, title, and interest in and to its intellectual property, including but not limited to hardware, software, algorithms, services, and related technology. All developments, modifications, or improvements—whether arising from Customer discussions, use case analysis, algorithm training using Customer data, or configuration adjustments—shall remain the exclusive property of Company.

Customer receives only a limited, non-exclusive license to use the Products and Services for its internal business purposes, subject to the terms of the Sales Contract and this Addendum.

2. Data Privacy, Security, and Ownership

2.1 Data Ownership

All data collected by the AI Video Safety/Security System—including images, videos, license plate information, email addresses, and phone numbers, whether stored locally or in the cloud—shall remain the sole property of Customer, subject to applicable law and Section 2.4 below.

2.2 Data Security

All physical devices (including AI computers, NVRs, and cameras) are installed on Customer’s premises and remain Customer property. After delivery and acceptance, Customer is solely responsible for physically securing such devices. Company continually reviews the security of its software and makes available updates and technical guidance via its website. If Customer subscribes to Company maintenance services, Company will provide security updates and technical support. Otherwise, Customer is solely responsible for timely application of updates, following Company’s published guidance.

2.3 Data Privacy

Data collected by the system may capture private or personally identifiable information. Customer is solely responsible for complying with all applicable privacy, data protection, and related laws, and for ensuring the protection of individual rights. Company makes no representation or warranty regarding Customer’s compliance.

2.4 Law Enforcement

All data—including incident video footage, investigation reports, images, and text—may be used by Customer to assist law enforcement investigations.

Company is not responsible for providing such data directly to any third party, including law enforcement, except as legally required. If Company is legally compelled to disclose Customer data stored on its systems, it will notify Customer of such disclosure to the extent legally permissible.

3. Data Communication and Storage Authorization

Customer may select one or more of the following authorizations. I understand that choosing not to authorize may limit or disable certain services, including but not limited to: Real-time alerts and notifications (email, mobile, siren) Daily or periodic reports Incident investigations by Company experts AI system maintenance, customization, and support Site surveys or incident scene walkthroughs

  • I do not authorize remote access or data transfer.

    I do not authorize remote access to, or transfer of, data from the on-premises AI system.

  • I do not authorize cloud storage.

    I do not authorize Company to copy or transfer data to Company cloud systems. I understand this may limit Company’s ability to provide AI Video Safety/Security Services. If I authorize cloud storage separately, I acknowledge that:

    • Data remains my property.
    • Company employs industry-standard protection measures, but no system is infallible.
    • In the event of a data breach, Company will mitigate risk and notify me promptly.
    • Company shall not be liable for breaches beyond its reasonable control, to the extent permitted by law. Revocation of authorization must be in writing; removal of data may take up to thirty (30) days.
  • I do not authorize third-party integrations (e.g., email notifications).

    If Customer’s authorized users choose to connect the system with a third-party service (e.g., signing in with a third-party account to enable email notifications), the following terms apply:

    A. How the System Uses Integrated Data

    Authorizing an integration allows the system to access data from the third-party service to enable core features. When an alarm is detected, the system uses the connected account to send real-time notifications. The system also allows authorized users to send commands back to the server by replying to these notifications (e.g., 'mute alert'). To provide this functionality, the system uses connected account data as follows:

    • To Read, Compose, and Send Emails: This permission is required to send alert notifications from the system using the connected account (e.g., Gmail) and to receive user email replies containing commands.
    • To Manage Pub/Sub Subscriptions: To process command replies in real-time, the system may use a service like Google Cloud Pub/Sub, which allows the server to be instantly notified when a command is sent via email.

    B. How We Share and Disclose Integrated Data

    For Self-Hosted or Customer-Managed Systems:
    If the Customer owns and manages the system, all data from the connected third-party account resides exclusively on the Customer's server. Company does not have access to, store, or share any of this data.

    For Rented or Company-Managed Systems:
    If the system is hosted or managed by Company, we act as the data custodian. We do not sell, rent, or trade personal information. We only share data, including from third-party services, in the limited circumstances described below:

    • Service Providers: We work with third-party companies that provide services on our behalf, such as cloud hosting. These providers only have access to the information necessary to perform their functions and are contractually obligated to protect your data.
    • For Legal Reasons and Safety: We may disclose your information if we believe it's required by law, regulation, legal process, or governmental request; to enforce our user agreements; and to protect the safety and security of our users and our service.
    • In Case of a Business Transfer: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

    Our use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

    C. Data Retention, Deletion, and Access Control for Integrations

    Revoking Access
    Authorized users can disconnect a third-party account at any time within the system's settings. This revokes the system's authorization token and prevents future access but does not automatically delete data already stored on the server.

    Data Retention and Deletion
    For Self-Hosted Systems: As you control the server, you are responsible for deleting any stored data.
    For Rented or Company-Managed Systems: Data is automatically pruned based on settings configured by the Customer. The Customer can request the permanent deletion of account data by providing a written request. Deletion will be completed within 30 days, unless retention is required by law.

4. Governing Effect

This Addendum shall govern in the event of any inconsistency, ambiguity, or conflict with the Sales Contract.

Acceptance

Customer

Printed Name: __________________________

Title: __________________________________

Signature: ______________________________

Date: __________________________________